Open MohammedAziz02 opened 2 months ago

I have a python project with a requirements.txt file that contains some dependencies like this one: "cryptography>=3.2.1,<43.0.0". When generating the SBOM using cdxgen -t python -o SBOM.json, I get pkg:pypi/cryptography@3.2.1%2C%3C43.0.0, which misses the precision, or sometimes something like pkg:pypi/test@latest. Is there any way to have exactly the installed version in the SBOM output?

@MohammedAziz02, python is an extremely challenging language. Given a version specifier like your example, different combinations of python + pip might install completely different versions of direct and indirect dependencies. Here is how I personally generate the SBOM:

- --deep mode
- Sometimes, using the container image of cdxgen might help, especially when using Windows or Mac, where many python dependencies wouldn't install correctly.
- Always run cdxgen with the environment variable CDXGEN_DEBUG_MODE=debug, which will list all build errors.
- You can also give the new un-official python image a try. Run the below command from within the application directory.

```shell
docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app -it ghcr.io/appthreat/cdxgen-python:v10 -r -o /app/bom.json /app -t python --deep
```
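The thread's point is that a specifier such as `>=3.2.1,<43.0.0` is a constraint, not a version, and the only exact answer is whatever pip actually installed in the environment the SBOM is built from (which is why the reply recommends installing first, in a container, and scanning with `--deep`). The following is an added example, not code from cdxgen or from anyone in this thread: it parses requirements.txt lines, asks the installed environment (`importlib.metadata`) for the exact version, checks that the installed version still satisfies the declared range, and emits CycloneDX-style components with an exact purl. It also shows why the `%2C%3C` seen in the question appears: purl requires the version segment to be percent-encoded, so a specifier string that leaks into the version field is encoded verbatim. The version comparison is a deliberate simplification (release segments only, operators `==`, `!=`, `>=`, `>`, `<=`, `<`), and the sample requirements and the fake "installed" environment are constructed so that the demo runs offline; against a real environment pass no lookup and the script queries `importlib.metadata`.

```python
"""Resolve requirements.txt specifiers to the exact versions installed in the
current environment and emit CycloneDX-style components with exact purls.

Added example for this thread; not cdxgen's code. Standard library only.
Version handling is a deliberately small PEP 440 subset: release segments
only (pre/post/dev suffixes are ignored) and the operators listed in OPS.
"""
import re
from importlib import metadata
from urllib.parse import quote

# name, optional extras ("[security]"), then the rest of the line (specifiers)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
# one comparison clause, e.g. ">=3.2.1"; "~=" and wildcards are not supported here
SPEC_RE = re.compile(r"\s*(==|>=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.+-]*)\s*")

OPS = {
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
    ">=": lambda c: c >= 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, "<": lambda c: c < 0,
}


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); stops at the first non-numeric segment."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """Compare release tuples, padding with zeros so 3.2 == 3.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_requirement(line):
    """Return (normalized_name, [(op, version_tuple), ...]) or None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = REQ_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement line: {line!r}")
    name, rest = m.group(1), m.group(2)
    specs = []
    for clause in (c for c in rest.split(",") if c.strip()):
        sm = SPEC_RE.fullmatch(clause)
        if not sm:
            raise ValueError(f"unsupported specifier {clause.strip()!r} for {name}")
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return normalize(name), specs


def satisfies(version, specs):
    """True when an installed version string meets every clause (vacuously true for none)."""
    v = parse_version(version)
    return all(OPS[op](cmp_versions(v, want)) for op, want in specs)


def installed_version(name):
    """Exact version of an installed distribution, or None if it is not installed."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def purl(name, version):
    """pkg:pypi/<name>@<version>. purl percent-encodes the version segment, which is
    exactly why a leaked specifier ',<43.0.0' shows up as '%2C%3C43.0.0' in an SBOM."""
    return f"pkg:pypi/{name}@{quote(version, safe='')}"


def resolve_requirements(text, lookup=installed_version):
    """Build exact components from requirements text; report gaps instead of guessing."""
    components, problems = [], []
    for raw in text.splitlines():
        req = parse_requirement(raw)
        if req is None:
            continue
        name, specs = req
        ver = lookup(name)
        if ver is None:
            problems.append(f"{name}: not installed; install first (or scan with --deep)")
            continue
        if not satisfies(ver, specs):
            problems.append(f"{name}: installed {ver} does not satisfy {raw.strip()}")
        components.append({"type": "library", "name": name, "version": ver, "purl": purl(name, ver)})
    return components, problems


# Constructed sample input, modelled on the requirements line in the question.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
cryptography>=3.2.1,<43.0.0
requests==2.31.0
test
"""
# Constructed "installed environment" standing in for importlib.metadata (assumed versions).
FAKE_ENV = {"cryptography": "41.0.7", "requests": "2.32.0"}


def demo():
    return resolve_requirements(SAMPLE_REQUIREMENTS, FAKE_ENV.get)


if __name__ == "__main__":
    comps, probs = demo()
    for c in comps:
        print(c["purl"])
    for p in probs:
        print("WARN", p)
```

With the constructed environment the output contains `pkg:pypi/cryptography@41.0.7` and `pkg:pypi/requests@2.32.0`, plus two warnings: `requests` is installed at a version outside the pinned `==2.31.0`, and `test` is not installed at all. The point of failing loudly on those two cases rather than emitting `@latest` or the raw specifier is that an SBOM whose versions are guesses is not usable for vulnerability matching; run it inside the same environment (or container) the application ships with, after `pip install -r requirements.txt`, so that `importlib.metadata` reflects the real resolution.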